Voting Machines
Background

Platform.For-Pgh.org
* Voting_Machines-plank

Madison, Wis. — Among the 15 bills

Open Source Law

Wisconsin Governor Jim Doyle signed a law in January 2006 that requires the software of touch-screen voting machines used in elections to have its source code opened up to public viewing.

Municipalities that use electronic voting machines are responsible for providing to the public, on request, the code used. Any voting machines to be used in the state already had to pass State Elections Board tests. Electronic voting machines, in particular, already were required to maintain their results tallies even if the power goes out, and to produce paper ballots that could be used in case of a recount. The new law also requires the paper ballots to be presented to voters for verification before being stored.

But of this bill's provisions, perhaps the more influential in a wider sense is the requirement that municipalities provide source code, and the more general condition that "the coding for the software that is used to operate the system on election day and to tally the votes cast is publicly accessible and may be used to independently verify the accuracy and reliability of the operating and tallying procedures to be employed at any election."

The bill passed the Assembly 91-4 and the Senate 29-2.

A federal Government Accountability Office report released in September 2005 said that specific makes of electronic voting machines nationwide have been found to store both vote tallies and audit logs in an unencrypted form that could be altered without detection and that some vendors installed uncertified versions of voting software in some machines. These reports came from individual election officials, and there was not a definite consensus, the report said, but there were enough cases of lost votes in real elections that the GAO recommended stricter policies and rules for election machines.

• Link: Assembly Bill 627 (PDF)

Mark Plimley: January 4, 2006
Congratulations to the Governor and the people of Wisconsin for protecting the voting process with Assembly Bill 627. Although there have been other methods used to manipulate the voting process, especially in the '04 election (voter intimidation, voter suppression, i.e. not enough voting machines in heavily Democratic precincts), at least this law will plug the hole of manipulating voting machine results.

Paul Crowley: January 4, 2006
While distributing the source to the application can make it possible for others to verify the functionality of the software, it does not prevent fraud in any meaningful way. The first problem is that there is no means by which the source available can be verified to be the code actually operating the machine. This just places "open source" as an amusing buzzword. The second problem is that development of the software is often the largest cost item in producing such a machine. By distributing the source you enable the "cheap Chinese" knock-off where they are freed from all R&D expense. So tell us again why this is so important?

Arker: January 4, 2006
Please correct your headline, as it is in error. As the text of the article makes clear, this will NOT require that the voting machine code be open source. It requires only that it be available for audit. Open source refers to software which you are allowed, not only to examine, but to modify and redistribute freely. This is a huge distinction. That said, this is an obvious step to take. It's not sufficient to stop fraud by any means, but any state that doesn't adopt this requirement is positively begging for fraud to occur. As to Crowley's comments - there IS a way to verify that the code you see is the code running the system, if you have the code.
You simply compile that code, and compare the binary that results to the binary actually in the device. This is trivial and obvious. Secondly, if this bill did require that the software be open source, your second argument would have merit. However, as the article text makes clear, it does not require anything of the kind. Meaning that any 'knock-off' that used that code to shortcut their development process would be liable for massive statutory damages for copyright infringement, as well as subject to immediate injunctions preventing them from continuing to produce or sell their product in nearly every country in the world.

Jason Stitt, Editor: January 4, 2006
Regarding the headline and the definition of open-source software, I understand people who belong to the "open-source community" can feel somewhat proprietary, if you'll pardon the pun, about the definition of the term, but there's a common, colloquial usage that refers to publicly available code, not necessarily the legality of modifications and redistribution for use. It's similar to the use of "open" in "open records laws," which refers to availability, not modifiability. (In this case, similar in content as well as word usage.)

On another note, I agree you can never be completely certain that someone, somewhere isn't committing fraud. That applies to paper ballots, which could be forged, shredded or burned if the right (wrong) people are corrupt, as well as to electronic machines. The more factors are involved and open to review, the more difficult that is.

We'll be following up on this story later, especially as municipalities go to work figuring out what will be used in the next major elections.

bbaston: January 4, 2006
Congratulations, Wisconsin, on being already the second state to take this necessary step to restoring citizen confidence in US election results. Only 48 states to go.
Voting machine design can cheaply be such that source code is capable of being copied directly from an active machine to some standard device provided by the curious voter, such as to a USB card. That way the voting individual can be assured of receiving the "real thing" and can print it out or examine it in detail on a home computer, or take it to an expert.

Note to the poster Paul: Have you heard of copyright law, and software licensing? That will protect software considered proprietary by the voting machine vendor from being reused contrary to license terms. Open source GPL software, for example, is protected by copyright and licensed so that distribution requires sharing of improvements.

But, what is wrong with using identical open source code for every voting machine regardless of brand? The programming logic is not complicated. Why shouldn't it be a commodity, like salt? Only the interfacing need be different, and then only IF the machine's interfaces are proprietary (not an unencumbered standard). Won't that lead to less expensive voting machines? IBM-compatible computers work that way, you know, and run Linux securely on open source software (plus that Redmond o/s and a few others). A digital voting machine is just a dedicated-use computer.

Ben Charles Duffy: January 4, 2006
Contrary to the suggestion provided by bbaston, enabling the voting machines to provide a copy of the source code used in their programming to the interested voter isn't adequate, because there's no proof that that source matches the running binary. Having a low-level hardware implementation that copies the binaries that the device booted against -- such that the binary can be compared against source otherwise distributed -- would be, on the other hand, an excellent approach, so long as one's opponent is incapable of tampering with said hardware.
It may not make electronic voting machine fraud impossible, but certainly should make it more difficult -- and help to ensure that systems inadequately designed are publicly exposed as such. That said, making the source available for inspection is only one component: the use of a verifiable paper record (which can be retained for use in a recount) is even more critical: Covering one's trail is considerably more difficult when the record consists of more than bits and bytes.

Insights

Activists say voting-machine software needs a dry run before November
By Marty Levine, September 2008, City Paper
http://www.pittsburghcitypaper.ws/gyrobase/Content?oid=oid%3A52589

Carnegie Mellon professor Dave Eckhardt says county voting machines need to be tested before November, 2008.

After a lengthy campaign to verify the tallies of electronic-voting machines, local activists may have finally found a testing method that elected officials believe in. Getting those officials to do something in time for the presidential election, however, is another matter.

On Sept. 9, 2008, all 15 members of Allegheny County Council approved a motion "urging" the Allegheny County Board of Elections to test the software that tallies ballots on county voting machines. The move is necessary, the resolution contended, because "software can be changed ... with relative ease," potentially making a shambles of the county's vote.

It's the third time since June 2008 that such a measure has received unanimous support, but the Board of Elections has yet to discuss the issue. That's puzzling, since two of the board's three members -- John DeFazio and Chuck McCullough -- are on County Council too. In other words, for the past three months DeFazio and McCullough have been "urging" themselves to address the issue -- then ignoring the urge.

The program that voting machines use must be certified by the state and federal governments.
But it's crucial to make sure that each voting machine has an exact copy of the program, says David Eckhardt, a computer-science professor at Carnegie Mellon University.

Voters "should be able to understand that their vote should be recorded as cast and tallied as recorded," says Eckhardt, who has been active on this issue since before the county acquired more than 4,000 "iVotronic" touch-screen voting machines in 2006.

Activists worry that the iVotronic's manufacturer, Election Systems & Software, could change its software without notifying anyone. Worse, someone could tamper with its software, prompting the machine to disgorge preprogrammed results. According to a 2007 report from Ohio's Secretary of State, the iVotronic in particular could be tampered with merely by using a magnet and a Palm Pilot.

Tim Johnson, the county's director of administration, says that each voting machine is given a trial run before an election. "Although it's not specific testing of the software," Johnson says, "it is testing the specific performance of the machine which is controlled by the software."

But Eckhardt contends that malicious software -- or "malware" -- would probably function perfectly until signaled to perform differently. He and others recommend testing the machines with memory-chip readers: An elections official would pull the machine's memory chip and read it, using a device that would compare the instructions on the chip to the proper code.

County Executive Dan Onorato, perhaps the Election Board's most influential member, is "open to the idea" of software verification, says spokesman Kevin Evanto. "We've had these machines and used them for three elections now," he notes. "They've been operating as expected." He is uncertain why the Board hasn't addressed the subject since June, though he adds that "as far as I know, we haven't received a detailed explanation" of how verification might be done.

But Eckhardt says that's not for a lack of trying. "Because we believe this matter affects everybody in the county and should be handled in a public fashion, we have been attempting since June 2008 to meet with the Board of Elections to present our proposal -- including attending the Sept. 2, 2008 meeting of the Board, at which we were not permitted to speak," he says. "If the Board of Elections is not the correct venue for discussion of this issue, we are of course open to suggestions from Mr. Onorato as to how we should proceed."

The election board's next scheduled meeting is Oct. 21, 2008, 15 days before the election. Evanto says that may still leave enough time to conduct the verification.

As for board members DeFazio and McCullough, neither responded to several inquiries from City Paper. But Council Vice President Chuck Martoni, who has been the prime force behind the motions, says DeFazio "promised he'd take some action soon." And McCullough, he says, also "seemed very interested."

Ever since the mechanical-lever machines were scrapped -- part of a nationwide effort to avoid another "hanging chad" election fiasco -- locals have asked for ways to verify the vote. Before the county purchased the iVotronic machines, election-protection groups were calling for paper records on electronic voting.

"Without having another software-independent mechanism" such as paper records, "we're stuck trusting the software completely," says Collin Lynch, president of VoteAllegheny. "If you intend on trusting our democracy to a piece of equipment, you just have to test" that the machine arrived as advertised.

A group of 25 voters from the Pittsburgh area and points east is suing Pennsylvania's secretary of state, saying the certification process is inadequate; the plaintiffs are waiting to hear whether the state Supreme Court will take the case.
Their attorney, Marian Schneider of Berwyn, Pa., points to Wayne, Lackawanna and Northampton counties, where, prior to recent elections, vendors loaded uncertified software into their machines. The incident resulted in the decertifying of that particular model.

"Nationwide, people are throwing these things out," Eckhardt says, pointing to moves by Florida and Ohio to get rid of touch-screens. In August 2008, Centre County, in central Pennsylvania, became the latest county to toss out touch-screens in favor of paper ballots, which are optically scanned at the voting place and kept for a possible hand recount.

Part of the problem, activists say, is that electronic machines are inscrutable. "Any auto mechanic, given a week of training, could open up our old lever machines and see if its gears are correct" and hadn't been tampered with, says Eckhardt, the computer scientist. The electronic hardware of electronic machines, with their thousands of tiny transistors, is much harder to verify. But Eckhardt says, "The low-hanging fruit here is that you can see if you have the right software."

The state's lead certification tester, Michael Shamos, has long disputed activists who say a paper record is more reliable. He notes that there has not been a proven case of software tampering, and says activists are "spreading fear" about it.

Pennsylvania's 67 counties "don't have personnel for testing," says Shamos, who teaches computer science at CMU. "They don't have budgets for it." And such testing would just spawn further doubt, he adds: After all, "Do we know that the chip-reading machine is not implanting malware?"

But Marybeth Kuznik, the head of VotePA, remains adamant. Software testing "is the only thing that stands between us and being at the total whim of the vendors," she says. Her group is calling for all software-dependent machines to be tested similarly in each county.
Verification should be done before and after each election "if it is to be done meaningfully," she says.

When the machines first arrived, they were paid for with millions in federal money under the Help America Vote Act of 2002; the local League of Women Voters chapter was not in favor of them, says Suzanne Broughton, the organization's president. But when county officials asked the League to help demonstrate the machines to the public, its members found a bigger problem: People didn't know how to use the machines correctly, let alone understand how they could be tampered with.

"The public had not gotten beyond the question of usability to get to the question of security," Broughton says. "I don't think that has changed."

"If the federal government would drop another batch of money on us," she speculates, Onorato "might well change those machines."

Links

Media
* P-G article: Help the voter: It's time to address electronic voting problems, November 29, 2006
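
The chip-reader check described in the City Paper article above, and the compile-and-compare check raised in the comments, both come down to a byte-for-byte comparison of what is on the machine against a certified reference. The following Python is an added example, not code from the article, the county or any vendor; the function names, the 4 KiB block size and the sample images are constructed assumptions.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumption, not a vendor value)


def diff_ranges(dump: bytes, reference: bytes, block: int = BLOCK):
    """Return merged [start, end) byte ranges where the two images differ."""
    ranges = []
    longest = max(len(dump), len(reference))
    for start in range(0, longest, block):
        end = min(start + block, longest)
        # Past the end of the shorter image a slice is short or empty, so a
        # truncated or padded dump is reported as a difference as well.
        if dump[start:end] != reference[start:end]:
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], end)  # extend the previous range
            else:
                ranges.append((start, end))
    return ranges


def verify_image(dump: bytes, reference: bytes, certified_sha256: str):
    """Check a chip dump against the certified image and its published digest."""
    certified = certified_sha256.strip().lower()
    return {
        # The local reference must itself match the published digest, or a
        # swapped reference file would "verify" an equally swapped chip.
        "reference_trusted": hashlib.sha256(reference).hexdigest() == certified,
        "match": hashlib.sha256(dump).hexdigest() == certified,
        "diff_ranges": diff_ranges(dump, reference),
    }


def constructed_samples():
    """Constructed 16 KiB stand-ins for a certified image and two bad dumps."""
    reference = bytes(i % 251 for i in range(16384))
    tampered = bytearray(reference)
    tampered[5000:5004] = b"\xde\xad\xbe\xef"  # four altered bytes in block 1
    return reference, bytes(tampered), reference[:10000]


if __name__ == "__main__":
    ref, tampered, truncated = constructed_samples()
    digest = hashlib.sha256(ref).hexdigest()
    for name, image in (("clean", ref), ("tampered", tampered), ("truncated", truncated)):
        print(name, verify_image(image, ref, digest))
```

A match only shows that the chip contents equal the reference; as Shamos's question in the article implies, the reading device and the reference copy have to be trusted independently of the machine being checked.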